Customer Needs Assessment

Determine Risk Tolerance

An important part of implementing access controls is evaluating your company’s risk tolerance. What type of data does your company store, and what are the consequences if a hacker breaches your network security and steals or damages that data?

The more valuable your network assets are, the more severe the consequences if network security is compromised. Because companies today rely heavily on their networks to run their business, nearly every company network stores confidential customer information and proprietary company information. However, some customer information—such as credit card numbers—is particularly valuable.

When you evaluate the information stored on your network, you must ask yourself many questions. What is the information worth to your company and its customers? How much effort will hackers make to steal this information? If you are storing credit card numbers, for example, hackers have a strong motivation for infiltrating your network. On the other hand, do not assume that your network is safe from attack if you are not storing credit card information. For example, information stored about employees as a matter of course can be quite attractive to identity thieves. Do you collect and store information about customers? Your organization has an obligation—perhaps a very real legal obligation—to protect that data. No network is immune from attack.

You must also estimate the cost of downtime if systems are damaged and employees cannot use the network. How will downtime affect your company’s productivity? Can your company continue to operate without impacting service to customers?

Damage is higher, of course, if the attack is made public. As part of a study of 475 companies, the IT Policy Compliance Group “conducted benchmarks focused on the expected financial losses associated with data losses and thefts that are publicly disclosed.” The compliance group concluded that the “expected financial consequences” were “changes in the price of stock for publicly traded firms,” “customer and revenue losses,” and unspecified “additional expenses and costs.” (Why Compliance Pays: Reputations and Revenues at Risk, a Benchmark Research Report, July 2007, p. 10. You can download this report at http://www.itpolicycompliance.com/research_reports/spend_management/.)

2-15